Abstract
This paper explores the opportunity to use the process-risk determination approach (presented in the upcoming ISO/IEC 33015 standard) as a means of determining the level of risk associated with personal data processing activities. It outlines how the rights and freedoms of individuals are affected by the risks related to the organizational processes supporting the new citizens' rights introduced by the General Data Protection Regulation (GDPR), which requires a Data Protection Impact Assessment to be performed on data processing activities in certain specific circumstances.
Notes
- 1. New proposal introduced on 2018-03-08, awaiting ballot results at the time of writing this paper.
- 2. ISO/IEC NP PDTR 33015 is referred to as ISO/IEC 33015 in the rest of the paper to make reading easier.
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Cortina, S., Valoggia, P., Renault, A., Barafort, B. (2018). Process Risk Determination Supporting Data Protection Impact Assessment. In: Stamelos, I., O'Connor, R., Rout, T., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2018. Communications in Computer and Information Science, vol 918. Springer, Cham. https://doi.org/10.1007/978-3-030-00623-5_5
DOI: https://doi.org/10.1007/978-3-030-00623-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00622-8
Online ISBN: 978-3-030-00623-5
eBook Packages: Computer Science (R0)